B6: pin every third-party action in the build/publish path to an immutable commit SHA (a retagged actions/checkout or action-gh-release would otherwise inject code into the binary users download). The other workflows (tests, webrtc, launch-matrix) handle no secrets, so they're left on tags. B4: the playwright pin lived in two workflow files with no shared source. Move it to scripts/playwright_pin.txt that both read, so they can't drift. The drive gate already ENFORCES playwright<->juggler compatibility (an incompatible pin fails the launch/drive and nothing publishes); the file is the single bump point when the juggler is re-synced.
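# ─────────────────────────────────────────────────────────────────────────────
# verify-assets.yml — re-runnable DRIVE GATE for an EXISTING release's assets.
#
# release.yml drive-gates every binary it builds. This does the same drive test
# WITHOUT rebuilding: it downloads a release's already-published assets (works on
# DRAFT releases too via GITHUB_TOKEN) and drives each one on its native runner.
#
# Use it to:
#   • drive-test a release that was built before the in-pipeline gate existed
#     (e.g. firefox-9, built on the old release.yml), or
#   • re-verify any shipped release on demand (regression check).
#
# Same single-source-of-truth drive logic as release.yml: scripts/ci_drive_gate.py.
# Headless, no screenshot → GPU-free. Zero proxy / zero secrets.
#
# Trust boundary: the only free-form input is `release_tag` (workflow_dispatch).
# It is handed to shell steps through `env:` and never interpolated with
# `${{ }}` into a `run:` body, so it reaches bash as data, not as script.
# matrix.* values and github.repository are workflow-defined / repo-derived
# constants, not caller input.
# ─────────────────────────────────────────────────────────────────────────────
name: verify-assets

on:
  workflow_dispatch:
    inputs:
      release_tag:
        description: 'release tag whose assets to drive-test (e.g. firefox-9)'
        required: true

permissions:
  # write (not read) is required: GitHub only exposes DRAFT releases to tokens
  # with push access. With contents:read, `gh release download` on a draft tag
  # 404s ("release not found"). This workflow only READS assets — the elevated
  # scope is solely to make draft releases visible to GITHUB_TOKEN.
  contents: write

jobs:
  drive:
    name: drive-${{ matrix.leg }}
    runs-on: ${{ matrix.runner }}
    timeout-minutes: 25
    strategy:
      fail-fast: false
      matrix:
        include:
          # --full (interaction) only on the reliable linux-x86_64 leg; others run
          # the robust SMOKE drive. Same rationale as release.yml's gate.
          - leg: linux-x86_64
            runner: ubuntu-24.04
            kind: linux
            asset: firefox-150.0.1-stealth-linux-x86_64.tar.gz
            extra: '--full'
          - leg: linux-arm64
            runner: ubuntu-24.04-arm
            kind: linux
            asset: firefox-150.0.1-stealth-linux-arm64.tar.gz
            extra: ''
          - leg: win-x86_64
            runner: windows-latest
            kind: win
            asset: firefox-150.0.1-stealth-win-x86_64.zip
            extra: ''
          - leg: macos-arm64
            runner: macos-15
            kind: mac
            asset: firefox-150.0.1-stealth-macos-arm64.tar.gz
            extra: ''
          - leg: macos-x86_64
            runner: macos-15-intel
            kind: mac
            asset: firefox-150.0.1-stealth-macos-x86_64.tar.gz
            extra: ''
    steps:
      - name: Checkout wrapper (for scripts/ci_drive_gate.py)
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with: { fetch-depth: 1 }

      - name: Download the release asset (draft releases included)
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Caller-supplied tag goes through the environment, not `${{ }}` in the
          # script body: an expression expanded inline becomes part of the bash
          # source, an env var is just a quoted argument.
          RELEASE_TAG: ${{ github.event.inputs.release_tag }}
        run: |
          set -e
          mkdir -p art
          gh release download "$RELEASE_TAG" \
            --repo "${{ github.repository }}" \
            --pattern "${{ matrix.asset }}" \
            --dir art
          ls -la art/

      - name: Set up Python
        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with: { python-version: '3.11' }

      - name: Install Playwright driver (no bundled browser — we override executable_path)
        # Single-source pin (see release.yml); the drive gate enforces juggler compat.
        shell: bash
        run: python -m pip install --quiet "playwright==$(cat scripts/playwright_pin.txt)"

      - name: Linux system deps for headless firefox
        if: matrix.kind == 'linux'
        run: sudo "$(which python)" -m playwright install-deps firefox

      - name: Extract + locate firefox binary
        shell: bash
        run: |
          set -e
          mkdir -p ff
          A="art/${{ matrix.asset }}"
          # Per-platform archive format and binary location inside the archive.
          case "${{ matrix.kind }}" in
            win)   python -c "import zipfile; zipfile.ZipFile('$A').extractall('ff')"; EXE="ff/firefox.exe";;
            linux) tar xzf "$A" -C ff; EXE="ff/firefox";;
            mac)   tar xzf "$A" -C ff; EXE="ff/Firefox.app/Contents/MacOS/firefox";;
          esac
          [ -e "$EXE" ] || { echo "ERROR: firefox binary not found at $EXE"; exit 1; }
          # chmod is a no-op / may fail on Windows; the binary is already executable there.
          chmod +x "$EXE" 2>/dev/null || true
          echo "FF_EXE=$EXE" >> "$GITHUB_ENV"
          echo "located: $EXE"

      - name: DRIVE GATE — Playwright launch via juggler + real page (+ interaction on --full)
        shell: bash
        # matrix.extra is intentionally unquoted: an empty value must expand to
        # no argument at all, '--full' to one argument.
        run: python scripts/ci_drive_gate.py "$FF_EXE" ${{ matrix.extra }}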